Merge branch 'master' into dependabot/github_actions/github/codeql-ac…

…tion-3.27.6
konstruktoid · Dec 4, 2024 · 1ccb1f6 · 1ccb1f6
2 parents dc1ce72 + 674aabd
commit 1ccb1f6
Show file tree

Hide file tree

Showing 11 changed files with 18 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ This is an [Ansible](https://www.ansible.com/) role designed to enhance the
 security of servers running on AlmaLinux, Debian, or Ubuntu.
 
 It's [systemd](https://freedesktop.org/wiki/Software/systemd/) focused
-and requires Ansible version 2.15 or higher.
+and requires Ansible version 2.18 or higher.
 
 The role supports the following operating systems:
 

diff --git a/meta/main.yml b/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
   author: konstruktoid
   description: AlmaLinux, Debian and Ubuntu hardening. systemd edition.
   license: apache
-  min_ansible_version: "2.15"
+  min_ansible_version: "2.18"
   platforms:
     - name: Debian
       versions:

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -1331,7 +1331,8 @@
       changed_when: false
       failed_when: declare_tmout.rc != 0
       when:
-        - ansible_local.systemd.version | int < 252
+        - ansible_virtualization_type not in ["container", "docker", "podman"]
+        - ansible_systemd.version | int < 252
 
     - name: Assert compiler permissions
       when:
@@ -1393,6 +1394,8 @@
         - IdleAction={{ logind.idleaction }}
         - IdleActionSec={{ logind.idleactionsec }}
         - RemoveIPC={{ 'true' if logind.removeipc else 'false' }}
+      when:
+        - ansible_virtualization_type not in ["container", "docker", "podman"]
 
     - name: Verify StopIdleSessionSec setting
       ansible.builtin.shell: |
@@ -1406,8 +1409,8 @@
       with_items:
         - StopIdleSessionSec={{ session_timeout }}
       when:
-        - ansible_local.systemd.version | int >= 252
         - ansible_virtualization_type not in ["container", "docker", "podman"]
+        - ansible_systemd.version | int >= 252
 
     - name: Verify journal permissions
       become: true

diff --git a/tasks/facts.yml b/tasks/facts.yml
@@ -10,14 +10,6 @@
         owner: root
         group: root
 
-    - name: Add systemd version fact
-      ansible.builtin.template:
-        src: etc/ansible/facts.d/systemd.fact
-        dest: /etc/ansible/facts.d/systemd.fact
-        mode: "0755"
-        owner: root
-        group: root
-
     - name: Add cpuinfo rdrand fact
       ansible.builtin.template:
         src: etc/ansible/facts.d/cpuinfo.fact

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -306,6 +306,7 @@
   ansible.builtin.import_tasks:
     file: logindconf.yml
   when:
+    - ansible_virtualization_type not in ["container", "docker", "podman"]
     - manage_logind
   tags:
     - logind

diff --git a/tasks/umask.yml b/tasks/umask.yml
@@ -148,5 +148,6 @@
     create: false
     insertbefore: ^export
   when:
-    - ansible_local.systemd.version | int < 252
+    - ansible_virtualization_type not in ["container", "docker", "podman"]
+    - ansible_systemd.version | int < 252
     - session_timeout
diff --git a/templates/etc/ansible/facts.d/systemd.fact b/templates/etc/ansible/facts.d/systemd.fact
diff --git a/templates/etc/systemd/logind.conf.j2 b/templates/etc/systemd/logind.conf.j2
@@ -7,6 +7,6 @@ KillExcludeUsers={{ logind.killexcludeusers | join(' ') }}
 IdleAction={{ logind.idleaction }}
 IdleActionSec={{ logind.idleactionsec }}
 RemoveIPC={{ 'true' if logind.removeipc else 'false' }}
-{% if ansible_local.systemd.version | int >= 252 %}
+{% if ansible_systemd.version | int >= 252 %}
 StopIdleSessionSec={{ session_timeout }}
 {% endif %}
diff --git a/templates/etc/systemd/resolved.conf.j2 b/templates/etc/systemd/resolved.conf.j2
@@ -5,6 +5,6 @@
 DNS={{ dns | join(' ') }}
 FallbackDNS={{ fallback_dns | join(' ') }}
 DNSSEC={{ dnssec }}
-{% if ansible_local.systemd.version | int >= 239 %}
+{% if ansible_systemd.version | int >= 239 %}
 DNSOverTLS={{ dns_over_tls }}
 {% endif %}
diff --git a/templates/etc/systemd/timesyncd.conf.j2 b/templates/etc/systemd/timesyncd.conf.j2
@@ -4,6 +4,6 @@
 [Time]
 NTP={{ ntp | join(' ') }}
 FallbackNTP={{ fallback_ntp | join(' ') }}
-{% if ansible_local.systemd.version | int >= 236 %}
+{% if ansible_systemd.version | int >= 236 %}
 RootDistanceMaxSec=1
 {% endif %}
diff --git a/tests/debug_facts.yml b/tests/debug_facts.yml
@@ -43,17 +43,17 @@
 
 - name: Debug "systemd_version handling, <= 100"
   ansible.builtin.debug:
-    msg: systemd version is {{ ansible_local.systemd.version }}, <= 100
-  when: ansible_local.systemd.version <= 100
+    msg: systemd version is {{ ansible_systemd.version }}, <= 100
+  when: ansible_systemd.version <= 100
 
 - name: Debug "systemd_version handling, >= 100"
   ansible.builtin.debug:
-    msg: systemd version is {{ ansible_local.systemd.version }}, >= 100
-  when: ansible_local.systemd.version >= 100
+    msg: systemd version is {{ ansible_systemd.version }}, >= 100
+  when: ansible_systemd.version >= 100
 
 - name: Debug "systemd_version handling, info"
   ansible.builtin.debug:
-    msg: systemd version is {{ ansible_local.systemd.version }}
+    msg: systemd version is {{ ansible_systemd.version }}
 
 - name: Get DSA keys
   ansible.builtin.debug: